Shuffle CA verification config to libsecurity
1 /*
2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_SRC_SECURITY_PEEROPTIONS_H
10 #define SQUID_SRC_SECURITY_PEEROPTIONS_H
11
#include "ConfigParser.h"
#include "SBuf.h"
#include "security/forward.h"

#include <list>
15
16 class Packable;
17
18 namespace Security
19 {
20
/// TLS squid.conf settings for a remote server peer
///
/// Holds the raw directive text (certificate/key/CA/CRL paths, option, flag
/// and cipher strings, the tls-min-version label) alongside the values
/// parsed from it (parsedOptions, parsedFlags, parsedCrl). parse() fills the
/// raw fields, createClientContext() builds a library context from them, and
/// the updateContext*() helpers apply the CA/CRL settings to a context.
///
/// Members are public so the config parser and dump code can reach them
/// directly. Keep the declaration order as is: the default constructor's
/// initializer list follows it.
///
/// NOTE(review): only the copy constructor is user-declared (defined out of
/// line); there is no copy-assignment declaration, so clear() falls back to
/// the compiler-generated memberwise assignment. If the out-of-line copy
/// constructor ever does more than copy members, the two paths diverge --
/// confirm against the .cc before relying on either.
class PeerOptions
{
public:
    /// all-defaults state: zero options/flags, sslVersion 0, transport encryption off;
    /// the SBuf/list members are left default-constructed (empty)
    PeerOptions() : parsedOptions(0), parsedFlags(0), sslVersion(0), encryptTransport(false) {}
    /// defined out of line (see NOTE on the class)
    PeerOptions(const PeerOptions &);

    /// parse a TLS squid.conf option
    /// \param one option token from the directive line -- presumably a
    ///        name=value pair such as tls-min-version=N; verify in the .cc
    void parse(const char *);

    /// reset the configuration details to default
    /// (assigns a freshly default-constructed object over *this)
    void clear() {*this = PeerOptions();}

    /// generate a security client-context from these configured options
    /// \param setOptions presumably whether parsedOptions are applied to the new
    ///        context as well -- confirm in the .cc
    /// \return the new context; callers should handle a null result, since a
    ///         library failure to build a context is the obvious failure mode here
    Security::ContextPointer createClientContext(bool setOptions);

    /// sync the context options with tls-min-version=N configuration
    /// (reconciles parsedOptions with tlsMinVersion; exact mapping lives in the .cc)
    void updateTlsVersionLimits();

    /// setup the CA details for the given context
    /// (presumably installs caFiles/caDir as the context's trust store)
    void updateContextCa(Security::ContextPointer &);

    /// setup the CRL details for the given context
    /// (presumably installs parsedCrl so revoked peer certificates are rejected)
    void updateContextCrl(Security::ContextPointer &);

    /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings
    /// Only the stored strings are written -- file paths, not file contents --
    /// so the private key material itself is never emitted.
    void dumpCfg(Packable *, const char *pfx) const;

private:
    /// convert sslOptions text to the library option bitmask
    long parseOptions();
    /// convert sslFlags text to the Squid flag bitmask
    long parseFlags();
    /// populate parsedCrl (presumably from crlFile -- confirm)
    void loadCrlFile();

public:
    SBuf certFile; ///< path of file containing PEM format X509 certificate
    SBuf privateKeyFile; ///< path of file containing private key in PEM format
    SBuf sslOptions; ///< library-specific options string
    SBuf caDir; ///< path of directory containing a set of trusted Certificate Authorities
    SBuf crlFile; ///< path of file containing Certificate Revoke List

    SBuf sslCipher; ///< cipher list string, in the TLS library's own syntax
    SBuf sslFlags; ///< flags defining what TLS operations Squid performs
    SBuf sslDomain; ///< domain name for the peer; presumably used for certificate name checks -- confirm

    SBuf tlsMinVersion; ///< version label for minimum TLS version to permit

    long parsedOptions; ///< parsed value of sslOptions
    long parsedFlags; ///< parsed value of sslFlags (any flag that relaxes peer verification lands here, so keep dumps and copies exact)

    std::list<SBuf> caFiles; ///< paths of files containing trusted Certificate Authority (needs <list>)
    Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate

private:
    int sslVersion; ///< library-specific numeric protocol version; 0 by default, set by parse() (assumed -- confirm)

public:
    /// whether transport encryption (TLS/SSL) is to be used on connections to the peer
    bool encryptTransport;
};
80
/// configuration options for DIRECT server access (outgoing TLS connections
/// that go to no cache_peer). Defined elsewhere; presumably populated by
/// parse_securePeerOptions() below and always reset by free_securePeerOptions().
extern PeerOptions ProxyOutgoingConfig;
83
84 } // namespace Security
85
// parse the tls_outgoing_options directive
// Invoked by the generated config parser with the directive's storage;
// presumably &Security::ProxyOutgoingConfig -- confirm in cf.data.
void parse_securePeerOptions(Security::PeerOptions *);
// free_ ignores its argument and unconditionally resets the ProxyOutgoingConfig
// global. That is correct only while this is the sole PeerOptions bound to the
// directive type; a second instance would be left with its old settings.
#define free_securePeerOptions(x) Security::ProxyOutgoingConfig.clear()
// dump_ writes "<n><settings>\n" to Packable e. appendf() is presumably
// printf-style, so n is used as a format string and must not contain '%'
// (n is presumably the literal directive name from the config table).
// The do/while(false) wrapper keeps the macro usable as one statement.
#define dump_securePeerOptions(e,n,x) do { (e)->appendf(n); (x).dumpCfg((e),""); (e)->append("\n",1); } while(false)
90
91 #endif /* SQUID_SRC_SECURITY_PEEROPTIONS_H */
92